CN103746810A - Anonymous sign-cryption method from certificate public key system to identity public key system - Google Patents

Abstract

The invention discloses an anonymous sign-cryption method from certificate public key system to identity public key system. The specific process is as follows: a parameter is randomly selected from public key function database, and a system public key and a system private key of the certificate public key system and the identity public key system are generated; according to the system parameter and the public and private keys, the public and private keys of a user are generated; by using the identity of private key and identity public key system user of bilinear pairings and certificate public key system user, a message is anonymously signcrypted, and a ciphertext is sent to a recipient; the recipient based on the bilinear pairings and the own private key unsigncryptes the received, while identificating the sender's identity. The invention has advantages of simple process and high transmission efficiency, and can be used for realizing confidentiality, authentication and anonymity from certificate public key system to identity public key system to transmit a message.

Description

Anonymity label decryption method from certificate public key cryptosyst to identity public key system

Technical field

The invention belongs to field of information security technology, relate to anonymous label close, specifically an efficient anonymity label decryption method from certificate public key cryptosyst to identity public key system, can be used for realizing confidentiality, authentication property and the anonymity from certificate public key cryptosyst to identity public key system message transfer.

Background technology

Along with the fast development of computer network and the communication technology, the information transmission of carrying out between people is more and more frequent.Yet because transmitted information often relates to some sensitive informations, and the such open network of computer network and wireless communication networks has very large fragility, so information security issue highlights day by day.The theoretical foundation of information security is contemporary cryptology, and confidentiality and authentication property are two important Security Targets in cryptography.The confidentiality of message can realize by encryption technology, and the authentication property of message can be realized by digital signature technology.Yet a lot of practical applications not only need to realize confidentiality, also need to realize authentication property, such as ecommerce and Email simultaneously.

In order to realize confidentiality and the authentication property of transmission of messages simultaneously, can adopt traditional " first sign and encrypt afterwards " method, yet the efficiency of this method is conventionally lower.In order to address this problem, Zheng proposed the concept of " signing close " in 1997.Sign and closely can in a rational logic step, complete the function of digital signature and public key encryption simultaneously, and its amount of calculation and communications cost all will be lower than traditional " first sign and encrypt afterwards " methods, thereby it is to realize not only maintaining secrecy but also the comparatively desirable method of authentication ground message transfer.

In 1976, Diffie and Hellman delivered the paper about cryptographic new direction, had proposed first the thought of public key cryptography, had started new era of contemporary cryptology.Measured Digital Signature Algorithm DSA (Digital Signature Algorithm), Korea S scholar Shin, Lee and Shim have proposed two kinds of practical label decryption methods in 2002.Traditional common key cryptosystem, it is certificate common key cryptosystem, although overcome size of key problem and the cipher key distribution problem of symmetric cryptosystem, and user's private key only has user oneself to know, confidentiality is more intense, but also there is a shortcoming in certificate public key cryptosyst: need to manage a large amount of certificates, task is heavy.In certificate public key cryptosyst, a user, before sending message to other users, need to search targeted customer's public key certificate, and the legitimacy of certificate and validity are verified.Searching, store, verify and cancel etc. of certificate all can bring larger computing cost and storage overhead.In order to overcome the above-mentioned shortcoming of certificate public key cryptosyst, the cryptography that Shamir proposed based on identity in 1984.Therefore in identity public key system, user's identity is PKI, the certificate of necessity not.Yet until calendar year 2001, ability has been proposed the encipherment scheme based on identity of first practicality by Boneh and Franklin.In 2002, American scholar Lynn proposed the close scheme of first label based on identity.British scholar Chen and Malone-Lee have proposed a close scheme of the label based on identity that efficiency is higher in 2005.Based on bilinearity pair, the people such as Brazilian scholar Barreto have constructed a close scheme of label based on identity more efficiently.In 2006, Chinese scholar Duan and Cao constructed the close scheme of the label based on identity with multi-receiver.In 2009, India scholar Selvi, Vivek and Srinivasan have proposed the higher close scheme of the label based on identity with multi-receiver of efficiency.

Yet existing label decryption method is mostly only supported a kind of system, or is certificate public key cryptosyst, or be identity public key system.In actual applications, different mechanisms may adopt different common key cryptosystems.When the user A of certificate public key cryptosyst wants to send message to the user B of identity public key system, first A will do the signature based on certificate to message, again signature is done to the encryption based on identity, or need in identity public key system, apply for a pair of public and private key, and then use the label secret skill art based on identity message to be signed close, signing dense literary composition, send to B, the efficiency of these two kinds of methods is all lower, and has increased the complexity of system.In 2010, Chinese scholar Sun and Li constructed the label decryption method between certificate public key cryptosyst and identity public key system.Yet in actual applications, in order to protect the privacy of oneself, the sender of message does not often want to allow any third party learn the source of message.The existing label decryption method from certificate public key cryptosyst to identity public key system, because sender's PKI is directly placed in, sign in dense literary composition, thereby prior art can not realize the anonymity of pass-along message, revealed user's privacy.

Summary of the invention

The object of the invention is to improve fail safe and the efficiency from certificate public key cryptosyst to identity public key system message transfer, a kind of anonymity label decryption method from certificate public key cryptosyst to identity public key system is provided, it is a kind of anonymity label decryption method that can realize simply efficiently from certificate public key cryptosyst to identity public key system, simply to realize efficiently confidentiality, authentication property and the anonymity from certificate public key cryptosyst to identity public key system message transfer, simplification system, improve fail safe and efficiency of transmission.

The technical scheme that realizes the object of the invention is: the PKI to certificate public key cryptosyst user blinds, and calculates the bilinearity pair from certificate public key cryptosyst to identity public key system, then by result of calculation, message is carried out to anonymity and sign close and transmission.

Detailed process is as follows:

(1) system initialization step:

Certificate public key cryptosyst and identity public key system are chosen at random set of parameter from PKI function data storehouse, comprise cyclic group G and G that two rank are prime number q _t, the generator P of G, a bilinearity pair and three hash function H ₀: { 0,1} ^*→ G, $H_1:{\left\{\mathrm{0,1}\right\}}^n\×G\→Z_q^{*}$ With $H_2:G_T\→{\left\{\mathrm{0,1}\right\}}^n\×{\left\{\mathrm{0,1}\right\}}^n\×Z_q^{*},$ Here, { 0,1} ^*represent the set of the binary sequence composition of any bit long, n is the bit length of clear-text message, { 0,1} ⁿrepresent the set of the binary sequence composition of n bit long,

represent finite field Z _q=0,1 ..., q-1} removes element zero resulting multiplicative group, according to the parameter of choosing, and certificate public key cryptosyst selecting system PKI tpk and system private key tsk, identity public key system selecting system PKI mpk and system private key msk;

(2) user key generates step:

The user A of certificate public key cryptosyst generates PKI Y by oneself _awith private key x _a; The key generation centre PKG of identity public key system is the identity ID of user B _bas the PKI of user B, and according to ID _bcalculate the private key D of user B with msk _b;

(3) the close step of anonymous label:

According to the private key x of oneself _aidentity ID with the user B of identity public key system _b, the user A of certificate public key cryptosyst carries out anonymity to message m and signs and closely to obtain signing dense civilian C, and C is sent to user B;

(4) separate and sign close step:

Receive after the ciphertext C that the user A by certificate public key cryptosyst sends that the user B character right according to bilinearity of identity public key system is utilized oneself private key D _bciphertext C is separated to label close, obtain message m, authenticate sender's identity simultaneously.

Wherein system PKI tpk and the system private key tsk of the certificate public key cryptosyst described in step (1), and the system PKI mpk of identity public key system and system private key msk, generate in the following manner:

(a) certificate public key cryptosyst from

in choose at random an element as system private key tsk, and computing system PKI tpk=tskP, wherein symbol "-" represents the point multiplication operation on elliptic curve that group G is corresponding;

(b) identity public key system from

in choose at random an element s as system private key msk, and calculate P ₀=sP is as system PKI mpk.

The PKI Y of the described user A of step (2) wherein _awith private key x _a, and the private key D of user B _b, generate in the following manner:

(a) the user A of certificate public key cryptosyst from

in choose at random an element as the private key x of oneself _a, and the generator P of G in this private key and system parameters is multiplied each other, calculate the PKI Y of oneself _a=x _ap;

(b) according to the identity ID of system private key s and user B _b, the PKG of identity public key system calculates D _b=sQ _bas the private key of user B, wherein Q _b=H ₀(ID _b).

Wherein the user A of the certificate public key cryptosyst described in step (3) utilizes x _aand ID _bmessage m is carried out to anonymity and signs closely, calculate and sign dense civilian C, according to following process, carry out:

(a) user A is from { 0,1} ⁿin choose at random an element σ;

(b) user A calculates $H_1(\mathrm{\σ}\⊕m,Y_A),$ Be designated as $h_1=H_1(\mathrm{\σ}\⊕m,Y_A),$ Symbol wherein

represent bit XOR;

(c) user A calculates respectively h ₁y _a, be designated as C ₀=h ₁y _a, calculate $\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{H_1{x}_A}\right),$ Be designated as $C_1=\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{h_1{x}_A}\right),$ Wherein symbol " || " represents bit cascade;

(d) according to the result of calculating, user A output ciphertext C=(C ₀, C ₁), this ciphertext does not comprise the PKI Y of sender A _a.

Wherein the user B of the identity public key system described in step (4) utilizes the private key D of oneself _bciphertext C is separated to label close, according to following process, carries out:

(a) user B resolves to C=(C ciphertext C ₀, C ₁);

(b) user B calculates

be designated as ${\mathrm{\σ}}^{\′}\left|\right|m^{\′}\left|\right|h_1^{\′}=C_1\⊕H_2\left(\hat{e}(D_B,C_0)\right);$

(c) user B calculating (h ' ₁) ^-1c ₀, be designated as Y ' _a=(h ' ₁) ^-1c ₀;

(d) user B checking h ' ₁whether equal

if so, the PKI Y of B output message m=m ' and sender A _a=Y ' _a, otherwise think that ciphertext C is invalid.

The invention has the beneficial effects as follows: owing to can hide sender's PKI in signing dense literary composition, thereby protected sender's privacy; Due to only by a bilinearity to having realized confidentiality and the authentication property from certificate public key cryptosyst to identity public key system message transfer, avoided the advanced row digital signature of sender to encrypt again, or arrive first the public and private key of identity public key system application at recipient place, then in identity public key system, message is carried out to the close complex process of label based on identity, thereby simplified system, improved fail safe and efficiency of transmission; Method is simple and practical, has popularizing action.

Below in conjunction with accompanying drawing, the object of the invention, scheme are described further.

Accompanying drawing explanation

Fig. 1 is the schematic diagram communicating to identity public key system from certificate public key cryptosyst;

Fig. 2 is algorithm flow chart of the present invention;

Fig. 3 separates the flow chart of signing close step in algorithm of the present invention.

Embodiment

One, the applied mathematical theory of the present invention and technical term explanation:

1, bilinearity pair

In the present invention, bilinearity pair

a mapping that meets bilinearity, non-degeneracy and computability, it two element map in Groups of Prime Orders G to Groups of Prime Orders G _tin an element.Such as, be defined in Weil on super unusual elliptic curve to Tate to being exactly the bilinearity pair satisfying condition.

2, hash function

Hash function is exactly the input of random length to be transformed into a kind of like this one-way function of output of regular length, and this output is called the cryptographic Hash of this input.The hash function of a safety should meet following condition: 1. export length and fix, generally at least get 128 bits, to resist birthday attack; 2. to each given input, its cryptographic Hash can be calculated easily; 3. the description of given hash function and a cryptographic Hash, find corresponding input be calculate upper infeasible; 4. the description of given hash function, find two different inputs with identical cryptographic Hash be calculate upper infeasible.

3, relevant technologies term

Relevant technologies term of the present invention can be described as follows by Fig. 1:

(1) CA is certificate public key cryptosyst " certificate authority ", is responsible for issuing and managing public key certificate;

(2) PKG is identity public key system " key generation centre ", is responsible for generating user's private key;

(3) node A is a user of certificate public key cryptosyst, is the sender of message;

(4) Node B is a user of identity public key system, is the recipient of message;

(5) the certificate public key cryptosyst in the present invention and identity public key system can be systems independently, can be also two subsystems under certain public key cryptosyst.

Two, implementation procedure of the present invention

With reference to Fig. 1, Fig. 2 and Fig. 3, detailed process of the present invention is as follows:

Step 1, system initialization.

From PKI function data storehouse, choose at random set of parameter, comprise cyclic group G and G that two rank are prime number q _t, the generator P of G, a bilinearity pair

and three hash function H ₀: { 0,1} ^*→ G,

with here, { 0,1} ^*represent the set of the binary sequence composition of any bit long, n is the bit length of clear-text message, { 0,1} ⁿrepresent the set of the binary sequence composition of n bit long,

represent finite field Z _q=0,1 ..., q-1} removes element zero resulting multiplicative group; According to the parameter of choosing, certificate public key cryptosyst from

in choose at random an element as system private key tsk, and computing system PKI tpk=tskP, wherein symbol "-" represents the point multiplication operation on elliptic curve that group G is corresponding; Identity public key system from

in choose at random an element s as system private key msk, and calculate P ₀=sP is as system PKI mpk.

Step 2, user key generate.

The user A of certificate public key cryptosyst from

in choose at random an element as the private key x of oneself _a, and the generator P of G in this private key and system parameters is multiplied each other, calculate the PKI Y of oneself _a=x _ap; The key generation centre PKG of identity public key system is the identity ID of user B _bas the PKI of user B, and according to the identity ID of system private key s and user B _bcalculate D _b=sQ _bas the private key of user B, wherein Q _b=H ₀(ID _b).

Step 3, anonymity are signed close.

The user A of certificate public key cryptosyst utilizes x _aand ID _bmessage m is carried out to anonymity and signs closely, calculate and sign dense civilian C, according to following process, carry out:

(3a) user A is from { 0,1} ⁿin choose at random an element σ;

(3b) user A calculates $H_1(\mathrm{\σ}\⊕m,Y_A),$ Be designated as $h_1=H_1(\mathrm{\σ}\⊕m,Y_A),$ Symbol wherein represent bit XOR;

(3c) user A calculates respectively h ₁y _a, be designated as C ₀=h ₁y _a, calculate $\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{H_1{x}_A}\right),$ Be designated as $C_1=\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{h_1{x}_A}\right),$ Wherein symbol " || " represents bit cascade;

(3d) according to the result of calculating, user A output ciphertext C=(C ₀, C ₁), and this ciphertext is sent to recipient B, as shown in Figure 1, when the user A of certificate public key cryptosyst is during to the user B message transfer of identity public key system, user A carries out anonymity according to above process to message and signs closely, generates and signs dense literary composition transmission.

Step 4, solution are signed close.

As shown in Figure 3, as the dense civilian C=(C of label that receives that the user A of certificate public key cryptosyst sends ₀, C ₁) after, the user B of identity public key system utilizes the private key D of oneself _bciphertext C is separated to label close, according to following process, carries out:

(4a) deciphering

User B calculates

be designated as ${\mathrm{\σ}}^{\′}\left|\right|m^{\′}\left|\right|h_1^{\′}=C_1\⊕H_2\left(\hat{e}(D_B,C_0)\right),$ Wherein m ' is clear-text message, and calculates Y ' _a=(h ' ₁) ^-1c ₀pKI as sender;

(4b) authentication

By the σ ' obtaining above || m ' || h ' ₁and Y ' _a, the user B of identity public key system calculates $H_1({\mathrm{\σ}}^{\′}\⊕m^{\′},Y_A^{\′}),$ Checking h ' ₁whether equal $H_1({\mathrm{\σ}}^{\′}\⊕m^{\′},Y_A^{\′}),$ If so, the PKI Y of B output message m=m ' and sender A _a=Y ' _a, otherwise think that ciphertext C is invalid.

More than show and description has illustrated basic principle of the present invention, principal character and advantage of the present invention; The technical staff of the industry should understand, the present invention is not restricted to the described embodiments, that in above-described embodiment and specification, describes just illustrates principle of the present invention, the present invention also has various changes and modifications without departing from the spirit and scope of the present invention, and these changes and improvements all fall in the claimed scope of the invention; The claimed scope of the present invention is defined by appending claims and equivalent thereof.

Claims (6)

1. the anonymity label decryption method from certificate public key cryptosyst to identity public key system, it is characterized in that: the PKI to certificate public key cryptosyst user blinds, the bilinearity pair of calculating from certificate public key cryptosyst to identity public key system, then by the right result of calculation of bilinearity, message is carried out to anonymity and sign close and transmission.

2. the anonymous decryption method of signing as claimed in claim 1, is characterized in that, comprising:

(1) system initialization step:

Certificate public key cryptosyst and identity public key system are chosen at random set of parameter from PKI function data storehouse, comprise cyclic group G and G that two rank are prime number q _t, the generator P of G, a bilinearity pair

and three hash function H ₀: { 0,1} ^*→ G, $H_1:{\left\{\mathrm{0,1}\right\}}^n\×G\→Z_q^{*}$ With $H_2:G_T\→{\left\{\mathrm{0,1}\right\}}^n\×{\left\{\mathrm{0,1}\right\}}^n\×Z_q^{*},$ Here, { 0,1} ^*represent the set of the binary sequence composition of any bit long, n is the bit length of clear-text message, { 0,1} ⁿrepresent the set of the binary sequence composition of n bit long,

represent finite field Z _q=0,1 ..., q-1} removes element zero resulting multiplicative group, according to the parameter of choosing, and certificate public key cryptosyst selecting system PKI tpk and system private key tsk, identity public key system selecting system PKI mpk and system private key msk;

(2) user key generates step:

The user A of certificate public key cryptosyst generates PKI Y by oneself _awith private key x _a; The key generation centre PKG of identity public key system is the identity ID of user B _bas the PKI of user B, and according to ID _bcalculate the private key D of user B with msk _b;

(3) the close step of anonymous label:

According to the private key x of oneself _aidentity ID with the user B of identity public key system _b, the user A of certificate public key cryptosyst carries out anonymity to message m and signs and closely to obtain signing dense civilian C, and C is sent to user B;

(4) separate and sign close step:

Receive after the ciphertext C that the user A by certificate public key cryptosyst sends that the user B character right according to bilinearity of identity public key system is utilized oneself private key D _bciphertext C is separated to label close, obtain message m, authenticate sender's identity simultaneously.

3. decryption method is signed in anonymity according to claim 2, it is characterized in that, the system PKI tpk of the certificate public key cryptosyst in described step (1) and system private key tsk, and the system PKI mpk of identity public key system and system private key msk, generate in the following manner:

(3a) certificate public key cryptosyst from

in choose at random an element as system private key tsk, and computing system PKI tpk=tskP, wherein symbol "-" represents the point multiplication operation on elliptic curve that group G is corresponding;

(3b) identity public key system from

in choose at random an element s as system private key msk, and calculate P ₀=sP is as system PKI mpk.

4. the anonymous decryption method of signing according to claim 2, is characterized in that the PKI Y of the user A in described step (2) _awith private key x _a, and the private key D of user B _b, generate in the following manner:

(4a) the user A of certificate public key cryptosyst from in choose at random an element as the private key x of oneself _a, and the generator P of G in this private key and system parameters is multiplied each other, calculate the PKI Y of oneself _a=x _ap;

(4b) according to the identity ID of system private key s and user B _b, the PKG of identity public key system calculates D _b=sQ _bas the private key of user B, wherein Q _b=H ₀(ID _b).

5. the anonymous decryption method of signing according to claim 2, is characterized in that, the user A of the certificate public key cryptosyst in described step (3) utilizes x _aand ID _bmessage m is carried out to anonymity and signs closely, calculate and sign dense civilian C, according to following process, carry out:

(5a) user A is from { 0,1} ⁿin choose at random an element σ;

(5b) user A calculates $H_1(\mathrm{\σ}\⊕m,Y_A),$ Be designated as $h_1=H_1(\mathrm{\σ}\⊕m,Y_A),$ Symbol wherein

represent bit XOR;

(5c) user A calculates respectively h ₁y _a, be designated as C ₀=h ₁y _a,

Calculate $\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{H_1{x}_A}\right),$

Be designated as $C_1=\left(\mathrm{\σ}\right|\left|m\right|\left|h_1\right)\⊕H_2\left(\hat{e}{(Q_B,P_0)}^{h_1{x}_A}\right),$ Wherein symbol " || " represents bit cascade;

(5d) according to the result of calculating, user A output ciphertext C=(C ₀, C ₁), this ciphertext does not comprise the PKI Y of sender A _a.

6. the anonymous decryption method of signing according to claim 2, is characterized in that, the user B of the identity public key system in described step (4) utilizes the private key D of oneself _bciphertext C is separated to label close, according to following process, carries out:

(6a) user B resolves to C=(C ciphertext C ₀, C ₁);

(6b) user B calculates $C_1\⊕H_2\left(\hat{e}(D_B,C_0)\right),$

Be designated as ${\mathrm{\σ}}^{\′}\left|\right|m^{\′}\left|\right|h_1^{\′}=C_1\⊕H_2\left(\hat{e}(D_B,C_0)\right);$

(6c) user B calculating (h ' ₁) ^-1c ₀, be designated as Y ' _a=(h ' ₁) ^-1c ₀;

(6d) user B checking h ' ₁whether equal

if so, the PKI Y of B output message m=m ' and sender A _a=Y ' _a, otherwise think that ciphertext C is invalid.

Images